CVE-2023-4244 – Use-after-free in Linux kernel's netfilter: nf_tables component
https://notcve.org/view.php?id=CVE-2023-4244
A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. Due to a race condition between nf_tables netlink control plane transaction and nft_set element garbage collection, it is possible to underflow the reference counter causing a use-after-free vulnerability. We recommend upgrading past commit 3e91b0ebd994635df2346353322ac51ce84ce6d8. Una vulnerabilidad de use-after-free en el netfilter del kernel de Linux: nf_tables componente puede ser explotado para lograr la escalada de privilegios locales. Debido a una condición de ejecución entre nf_tables transacción del plano de control de enlace de red y la recolección de elementos no utilizados de nft_set, es posible desbordar el contador de referencia causando una vulnerabilidad de use-after-free. Recomendamos actualizar al commit anterior 3e91b0ebd994635df2346353322ac51ce84ce6d8. A use-after-free flaw was found in the Linux kernel’s nftables sub-component due to a race problem between the set GC and transaction in the Linux Kernel. • https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3e91b0ebd994635df2346353322ac51ce84ce6d8 https://kernel.dance/3e91b0ebd994635df2346353322ac51ce84ce6d8 https://lists.debian.org/debian-lts-announce/2023/10/msg00027.html https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html https://access.redhat.com/security/cve/CVE-2023-4244 https://bugzilla.redhat.com/show_bug.cgi?id=2235306 • CWE-416: Use After Free •
CVE-2023-4208 – Use-after-free in Linux kernel's net/sched: cls_u32 component
https://notcve.org/view.php?id=CVE-2023-4208
A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to achieve local privilege escalation. When u32_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. We recommend upgrading past commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81. Una vulnerabilidad de Use After Free en el componente net/sched: cls_u32 del kernel de Linux puede ser explotada para conseguir una escalada local de privilegios. Cuando se llama a u32_change() en un filtro existente, toda la estructura tcf_result se copia siempre en la nueva instancia del filtro. Esto causa un problema cuando se actualiza un filtro vinculado a una clase, ya que tcf_unbind_filter() siempre llama a la instancia antigua en la ruta de éxito, disminuyendo filter_cnt de la clase aún referenciada y permitiendo que se elimine, lo que lleva a un Use After Free. • https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81 https://kernel.dance/3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81 https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html https://www.debian.org/security/2023/dsa-5492 https://access.redhat.com/security/cve/CVE-2023-4208 https://bugzilla.redhat.com/show_bug.cgi?id=2225511 • CWE-416: Use After Free •
CVE-2023-4207 – Use-after-free in Linux kernel's net/sched: cls_fw component
https://notcve.org/view.php?id=CVE-2023-4207
A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to achieve local privilege escalation. When fw_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. We recommend upgrading past commit 76e42ae831991c828cffa8c37736ebfb831ad5ec. Se puede explotar una vulnerabilidad de use-after-free en el componente Linux kernel's net/sched: cls_fw para conseguir una escalada local de privilegios. Cuando se llama a fw_change() en un filtro existente, toda la estructura tcf_result se copia siempre en la nueva instancia del filtro.Esto causa un problema cuando se actualiza un filtro vinculado a una clase, ya que tcf_unbind_filter() siempre llama a la instancia antigua en la ruta de éxito, disminuyendo filter_cnt de la clase aún referenciada y permitiendo que se elimine, lo que lleva a un Use After Free. Recomendamos actualizar el commit a partir de 76e42ae831991c828cffa8c37736ebfb831ad5ec. • https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=76e42ae831991c828cffa8c37736ebfb831ad5ec https://kernel.dance/76e42ae831991c828cffa8c37736ebfb831ad5ec https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html https://www.debian.org/security/2023/dsa-5492 https://access.redhat.com/security/cve/CVE-2023-4207 https://bugzilla.redhat.com/show_bug.cgi?id=2225511 • CWE-416: Use After Free •
CVE-2023-4206 – Use-after-free in Linux kernel's net/sched: cls_route component
https://notcve.org/view.php?id=CVE-2023-4206
A use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to achieve local privilege escalation. When route4_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. We recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8. Una vulnerabilidad de use-after-free en el componente net/sched: cls_route del kernel de Linux se puede explotar para lograr una escalada de privilegios local. Cuando se llama a route4_change() en un filtro existente, toda la estructura tcf_result siempre se copia en la nueva instancia del filtro. Esto causa un problema al actualizar un filtro vinculado a una clase, ya que siempre se llama a tcf_unbind_filter() en la instancia anterior en la ruta exitosa, lo que disminuye filter_cnt de la clase a la que todavía se hace referencia y permite que se elimine, lo que lleva a un use-after-free. • https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8 https://kernel.dance/b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8 https://lists.debian.org/debian-lts-announce/2024/01/msg00004.html https://www.debian.org/security/2023/dsa-5492 https://access.redhat.com/security/cve/CVE-2023-4206 https://bugzilla.redhat.com/show_bug.cgi?id=2225511 • CWE-416: Use After Free •
CVE-2023-3777 – Use-after-free in Linux kernel's netfilter: nf_tables component
https://notcve.org/view.php?id=CVE-2023-3777
A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. When nf_tables_delrule() is flushing table rules, it is not checked whether the chain is bound and the chain's owner rule can also release the objects in certain circumstances. We recommend upgrading past commit 6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8. Una vulnerabilidad de Use-After-Free en el componente netfilter: nf_tables del kernel de Linux puede explotarse para lograr una escalada de privilegios local. Cuando nf_tables_delrule() vacía las reglas de la tabla, no se verifica si la cadena está vinculada y la regla del propietario de la cadena también puede liberar los objetos en determinadas circunstancias. Recomendamos actualizar al pasado commit 6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8. A use-after-free flaw was found in the Linux kernel's netfilter: nf_tables component, which can be exploited to achieve local privilege escalation. • http://packetstormsecurity.com/files/175072/Kernel-Live-Patch-Security-Notice-LSN-0098-1.html http://packetstormsecurity.com/files/175963/Kernel-Live-Patch-Security-Notice-LSN-0099-1.html https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8 https://kernel.dance/6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8 https://www.debian.org/security/2023/dsa-5492 https://access.redhat.com/security/cve/CVE-2023-3777 https://bugzilla.redhat.com/show_bug.cgi?id=223 • CWE-416: Use After Free •